Tuesday, March 15, 2011

Website Security - 2 (SQL Injection & Spamming)

Hi,

This is a continuation of my previous post on website security. In this one I will be discussing SQL injection and the spamming of web forms. So, coming to SQL injection.

1. SQL Injection

SQL injection is possibly one of the easiest ways for a professional hacker to tamper with your database. The idea is to alter the internal SQL query according to the hacker's choice. This happens when the user's input from a textbox/textarea is not filtered before it is executed inside a SQL query. This might sound a little complicated, but the solution is not. Consider the following query:

mysql_query("SELECT * from employees where username='".$_POST['user_name']."'");

The above statement simply takes the input entered in the text box "user_name" and binds it into a SQL query. Now, in the case of SQL injection, assume the value of $_POST['user_name'] is entered as:
' or '1'='1

So the final query becomes:

mysql_query("SELECT * from employees where username='' or '1'='1'");

This makes the SQL query return rows even if the user has entered an incorrect username, because of the "OR" part of the query, so the security check is broken. The above example is just one scenario of breaking into a SQL query; there are many ways of altering the query and bypassing the check. The most basic way of stopping it is to filter your inputs with addslashes() before binding the user input into the SQL query, as follows:

mysql_query("SELECT * from employees where username='".addslashes($_POST['user_name'])."'");

This adds a "\" before every single quote, thus the final query would be:
mysql_query("SELECT * from employees where username='\' or \'1\'=\'1'");

Thus the injected condition is not executed as SQL: the whole input is treated as one literal username, which matches nothing. But again, this is just the basic idea of SQL injection; the rest is up to your imagination. Hackers can put in a DROP statement, a CREATE TABLE statement and literally any statement they want if filters are not added before query execution. The better filter is mysql_real_escape_string(), which escapes according to the connection's character set. Use it as follows:

mysql_query("SELECT * from employees where username='".mysql_real_escape_string($_POST['user_name'])."'");
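As an added example (not code from the original post), here is the same lookup built three ways and run against an in-memory SQLite database through PDO, so it needs no MySQL server: the concatenated query from above, a PDO::quote() version standing in for mysql_real_escape_string(), and a prepared statement, which keeps the input from changing the query's structure at all. The employees table and its rows are constructed for the demo.

```php
<?php
// Added example, not from the original post. An in-memory SQLite database
// stands in for MySQL; the table and rows below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO employees (username) VALUES ('alice'), ('bob')");

// 1. Vulnerable: the input is concatenated straight into the SQL string,
//    exactly like the mysql_query() example in the post.
function lookupUnfiltered(PDO $pdo, string $input): array {
    $sql = "SELECT * FROM employees WHERE username='" . $input . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped: PDO::quote() is PDO's counterpart to mysql_real_escape_string().
//    It doubles embedded quotes and wraps the value in quotes, so the whole
//    input is compared as one literal username instead of being parsed as SQL.
function lookupEscaped(PDO $pdo, string $input): array {
    $sql = "SELECT * FROM employees WHERE username=" . $pdo->quote($input);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Parameterised: the query text and the data are sent separately, so no
//    quoting inside the input can alter the structure of the query.
function lookupPrepared(PDO $pdo, string $input): array {
    $stmt = $pdo->prepare("SELECT * FROM employees WHERE username = ?");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' or '1'='1";   // the input used in the post

echo "Vulnerable query: " . count(lookupUnfiltered($pdo, $payload)) . " row(s)\n";
echo "Escaped query:    " . count(lookupEscaped($pdo, $payload)) . " row(s)\n";
echo "Prepared query:   " . count(lookupPrepared($pdo, $payload)) . " row(s)\n";
echo "Prepared, real user 'alice': " . count(lookupPrepared($pdo, 'alice')) . " row(s)\n";
```

Running it shows the concatenated version returning every employee for the injected input, while the escaped and prepared versions return nothing for it and still find a genuine username.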

2. Spamming Web Forms

Spamming has been a topic of discussion for a long, long time. The basic definition of spamming is sending unwanted emails, but over the years it has grown by leaps and bounds. Coming to the basics of spamming: you have a business or website. Somehow you get hold of a bunch of email addresses via the internet, addresses of people you do not know and who may not be interested in your website or business. Now you mail them all, promoting your business. That is spam to them, because those emails are unwanted by the recipient.

In modern times, spamming takes all different kinds of forms. One of them is spamming through web forms. Consider we have the following:

<form method="post" action="http://mywebsite.com/submit.php">
<input type="text" name="username"> <input type="submit" value="Register">
</form>

Now a spammer can create a custom form on his own server which is exactly like the above and keep posting junk messages through that form at regular intervals via a loop etc., and those messages actually get stored in your database. That is spamming: the data is not posted from the form on your website, but from an external source. The most basic way of checking for that is to put in a captcha.

The idea of a captcha is to create a session variable specific to each form submission. The session variable's value is displayed in a dynamically generated image (click here for custom captcha). The user enters the captcha value in an extra textbox. When the form is submitted, the value of the textbox is matched against the session value; only if it matches is the database updated.

This is helpful because the session variable resides on your server and the value it generates is random, so the spammer won't get it, and your captcha validation code will prevent posts from external sources.

That's all for now. Hope to add more posts on website security.
